Mozilla Foundation Security Advisory 2009-49

TreeColumns dangling pointer vulnerability

Announced: September 9, 2009

Reporter: TippingPoint ZDI

Impact: Critical

Products: Firefox

Fixed in: Firefox 3.0.14, Firefox 3.5.3

Description

An anonymous security researcher, via TippingPoint's Zero Day
Initiative, reported that the columns of a XUL tree element could be
manipulated in a particular way which would leave a pointer owned by
the column pointing to freed memory. An attacker could potentially
use this vulnerability to crash a victim's browser and run arbitrary
code on the victim's computer.